asp.net mvc5:如何使模型ID隐藏,以便没有人可以使用inspect元素从浏览器更改

时间:2022-09-12 09:14:08

I have a model named 'User' having fields 'UserId, Username, Status', In index page i am enlisting all users along with edit , delete functionality. Here is my code

我有一个名为'User'的模型,其字段为'UserId,Username,Status',在索引页面中,我正在招募所有用户以及编辑,删除功能。这是我的代码

@foreach (var item in Model)
{
   <table>
     <tr>
       <td>@Html.DisplayFor(modelItem => item.Username)</td>
       <td>@Html.DisplayFor(modelItem => item.Status)</td>
       <td><input type='button' id='btnEdit' data-id='@item.UserId' value='Edit'/></td>
     </tr>
   </table>
}

It is rendered as

它呈现为

   <table>
     <tr>
       <td>USER ONE</td>
       <td>active</td>
       <td><input type='button' id='btnEdit' data-id='1041' value='Edit'/></td>
     </tr>
     <tr>
       <td>USER TWO</td>
       <td>active</td>
       <td><input type='button' id='btnEdit' data-id='1042' value='Edit'/></td>
     </tr>
   </table>

And upon clicking btnEdit, i user jQuery ajax call to controller like this:

点击btnEdit后,用户jQuery ajax调用控制器如下:

$("#btnEdit").on("click", function () {
    $.ajax({
        cache: false,
        type: "POST",
        url: "/User/Edit",
        data: $(this).data('id'),
        success: function (response) {
            //rest of code here
        }
    });
});

QUESTION:

题:

How to make UserId hidden and call it from jquery against selected row, so that no one can change from browser using inspect element

如何隐藏UserId并从jquery对所选行调用它,以便没有人可以使用inspect元素从浏览器更改

2 个解决方案

#1


0  

For future readers, I wanted to mark this question as solved, thanks Stephen Muecke, Vinay Singh, Zoran for their valuable time and guidance.

对于未来的读者,我想将这个问题标记为已解决,感谢Stephen Muecke,Vinay Singh,Zoran的宝贵时间和指导。

Here are the steps what i did to make my site less vulnerable.

以下是我为使网站不易受到影响而采取的措施。

  1. Used form with Antiforgerytoken to disrespect any such malicious requests. (as suggested by Vinay Singh)

    与Antiforgerytoken一起使用的形式不尊重任何此类恶意请求。 (由Vinay Singh建议)

  2. Encrypted / Decrypted my ids so that atleast normal end user cannot play with them by changing their value. (as suggested by Zoran)

    加密/解密我的ID,以便至少普通最终用户无法通过更改其值来玩它们。 (根据佐兰的建议)

  3. Most importantly to prevent from bad end user, i am validating each request at server side, whether or not current user is authorized to make this request etc. (as suggested by Sir Stephen Muecke)

    最重要的是为了防止坏终端用户,我在服务器端验证每个请求,当前用户是否有权发出此请求等(正如Stephen Muecke爵士所建议的那样)

#2


-1  

If you need to call it from jQuery it means it is available on client side, which means it is available to visitor's browser, which means he is able to change it.

如果你需要从jQuery调用它,这意味着它可以在客户端使用,这意味着它可供访问者的浏览器使用,这意味着他可以更改它。

If you needed it on the Code side only, you could use Session, but there is no way for you to hide something which is on the client side.

如果你只在代码端需要它,你可以使用Session,但你无法隐藏客户端的东西。

For the same issue I used this: Simple insecure two-way "obfuscation" for C#

对于同样的问题,我使用了这个:C#的简单不安全的双向“混淆”

#1


0  

For future readers, I wanted to mark this question as solved, thanks Stephen Muecke, Vinay Singh, Zoran for their valuable time and guidance.

对于未来的读者,我想将这个问题标记为已解决,感谢Stephen Muecke,Vinay Singh,Zoran的宝贵时间和指导。

Here are the steps what i did to make my site less vulnerable.

以下是我为使网站不易受到影响而采取的措施。

  1. Used form with Antiforgerytoken to disrespect any such malicious requests. (as suggested by Vinay Singh)

    与Antiforgerytoken一起使用的形式不尊重任何此类恶意请求。 (由Vinay Singh建议)

  2. Encrypted / Decrypted my ids so that atleast normal end user cannot play with them by changing their value. (as suggested by Zoran)

    加密/解密我的ID,以便至少普通最终用户无法通过更改其值来玩它们。 (根据佐兰的建议)

  3. Most importantly to prevent from bad end user, i am validating each request at server side, whether or not current user is authorized to make this request etc. (as suggested by Sir Stephen Muecke)

    最重要的是为了防止坏终端用户,我在服务器端验证每个请求,当前用户是否有权发出此请求等(正如Stephen Muecke爵士所建议的那样)

#2


-1  

If you need to call it from jQuery it means it is available on client side, which means it is available to visitor's browser, which means he is able to change it.

如果你需要从jQuery调用它,这意味着它可以在客户端使用,这意味着它可供访问者的浏览器使用,这意味着他可以更改它。

If you needed it on the Code side only, you could use Session, but there is no way for you to hide something which is on the client side.

如果你只在代码端需要它,你可以使用Session,但你无法隐藏客户端的东西。

For the same issue I used this: Simple insecure two-way "obfuscation" for C#

对于同样的问题,我使用了这个:C#的简单不安全的双向“混淆”